Method for multiplying polynomials for a cryptographic operation

ABSTRACT

Various embodiments relate to a method for multiplying a first and a second polynomial in the ring  [X]/(X N −1) to perform a cryptographic operation in a data processing system, the method for use in a processor of the data processing system, including: receiving the first polynomial and the second polynomial by the processor; mapping the first polynomial into a third polynomial in a first ring and a fourth polynomial in a second ring using a map; mapping the second polynomial into a fifth polynomial in the first ring and a sixth polynomial in the second ring using the map; multiplying the third polynomial in the first ring with the fifth polynomial in the first ring to produce a first multiplication result; multiplying the fourth polynomial in the second ring with the sixth polynomial in the second ring to produce a second multiplication result using Renes multiplication; and combining the first multiplication result and the second multiplication result using the map.

TECHNICAL FIELD

Various exemplary embodiments disclosed herein relate generally tomethod for multiplying polynomials for a cryptographic operation.

BACKGROUND

The development of quantum computers threatens the security of certaincurrently widely used public key cryptography algorithms such as the RSA(Rivest-Shamir-Adleman) algorithm. Most recently, advances in quantumcomputing have accelerated the research into “post-quantum cryptography”schemes, that is, new cryptography schemes that are believed to besecure even when faced with an attacker using a quantum computer. Thereare various families of problems that are being considered toinstantiate these post-quantum cryptographic approaches. One approach isbased on the hardness of certain lattice problems. That is, solvingthese difficult lattice problems compromises the cryptography. Whenimplemented, computationally expensive operations of some proposedlattice-based post-quantum cryptography schemes include arithmetic withpolynomials with integer coefficients. Some currently used public-keycryptography algorithms require arithmetic of large integers, where theintegers may include hundreds or thousands of bits. In contrast, thecoefficients used for polynomial multiplication for lattice-basedalgorithms may be much smaller, e.g., 32 bits or less. Typically,special purpose processors are implemented in a data processing systemto offload the computationally difficult problems from the mainprocessor of the system. However, the special purpose co-processorscurrently used to implement existing RSA or Elliptic-curve cryptography(ECC) algorithms cannot efficiently and quickly perform the polynomialmultiplications required for lattice-based cryptography. Developing newspecial-purpose co-processors to perform the computations needed bylattice-based post-quantum cryptography efficiently and quickly isexpensive and time consuming.

SUMMARY

A summary of various exemplary embodiments is presented below. Somesimplifications and omissions may be made in the following summary,which is intended to highlight and introduce some aspects of the variousexemplary embodiments, but not to limit the scope of the invention.Detailed descriptions of an exemplary embodiment adequate to allow thoseof ordinary skill in the art to make and use the inventive concepts willfollow in later sections.

Various embodiments relate to a method for multiplying a first and asecond polynomial in the ring

[X]/(X^(N)−1) to perform a cryptographic operation in a data processingsystem, the method for use in a processor of the data processing system,including: receiving the first polynomial and the second polynomial bythe processor; mapping the first polynomial into a third polynomial in afirst ring and a fourth polynomial in a second ring using a map; mappingthe second polynomial into a fifth polynomial in the first ring and asixth polynomial in the second ring using the map; multiplying the thirdpolynomial in the first ring with the fifth polynomial in the first ringto produce a first multiplication result; multiplying the fourthpolynomial in the second ring with the sixth polynomial in the secondring to produce a second multiplication result using Renesmultiplication; and combining the first multiplication result and thesecond multiplication result using the map.

Various embodiments are described, wherein the first ring is

[X]/(X^(N/2)−1), and the second ring is

[X]/(X^(N/2)+1).

Various embodiments are described, wherein the first polynomial f isf=f₀+X^(N/2)f₁ in the ring

[X]/(X^(N)−1), wherein f₀ is a lower portion of the first polynomial andf₁ is an upper portion of the first polynomial, the third polynomial isf₀+f₁ in the first ring, and fourth polynomial is f₀−f₁ in the secondring.

Various embodiments are described, wherein the first polynomial and thesecond polynomial are of order N and the third polynomial, fourthpolynomial, fifth polynomial, and sixth polynomial are of order N/2.

Various embodiments are described, wherein multiplying the thirdpolynomial in the first ring with the fifth polynomial in the first ringto produce a first multiplication result further includes: mapping thethird polynomial into seventh polynomial in a third ring and an eighthpolynomial in a forth ring using the map; mapping the fifth polynomialinto a ninth polynomial in the third ring and a tenth polynomial in thefourth ring using the map; multiplying the seventh polynomial in thethird ring with the ninth polynomial in the third ring to produce athird multiplication result; multiplying the eighth polynomial in thefourth ring with the tenth polynomial in the fourth ring to produce afourth multiplication result using Renes multiplication; and combiningthe second multiplication result and the fourth multiplication resultusing the map to produce the first multiplication result.

Various embodiments are described, wherein the first ring is

[X]/(X^(N/2)−1), the second ring is

[X]/(X^(N/2)+1), the third first ring is

[X]/(X^(N/4)−1), and the fourth ring is

[X]/(X^(N/4)+1).

Various embodiments are described, wherein the first polynomial and theseconed polynomial are of order N, the third polynomial, fourthpolynomial, fifth polynomial, and sixth polynomial are of order N/2, andthe seventh polynomial, eighth polynomial, ninth polynomial, and tenthpolynomial are of order N/4.

Various embodiments are described, wherein the cryptographic operationis a lattice-based cryptographic operation.

Further various embodiments relate to a data processing systemcomprising instructions embodied in a non-transitory computer readablemedium, the instructions for multiplying a first and a second polynomialin the ring

[X]/(X^(N)−1) to perform a cryptographic operation in a processor, theinstructions, including: instructions for receiving the first polynomialand the second polynomial by the processor; instructions for mapping thefirst polynomial into a third polynomial in a first ring and a fourthpolynomial in a second ring using a map; instructions for mapping thesecond polynomial into a fifth polynomial in the first ring and a sixthpolynomial in the second ring using the map; instructions formultiplying the third polynomial in the first ring with the fifthpolynomial in the first ring to produce a first multiplication result;instructions for multiplying the fourth polynomial in the second ringwith the sixth polynomial in the second ring to produce a secondmultiplication result using Renes multiplication; and instructions forcombining the first multiplication result and the second multiplicationresult using the map.

Various embodiments are described, wherein the first ring is

[X]/(X^(N/2)−1), and

the second ring is

[X]/(X^(N/2)+1).

Various embodiments are described, wherein the first polynomial f isf=f₀+X^(N/2)f₁ in the ring

[X]/(X^(N)−1), wherein f₀ is a lower portion of the first polynomial andf₁ is an upper portion of the first polynomial, the third polynomial isf₀+f₁ in the first ring, and fourth polynomial is f₀−f₁ in the secondring.

Various embodiments are described, wherein the first polynomial and thesecond polynomial are of order N and the third polynomial, fourthpolynomial, fifth polynomial, and sixth polynomial are of order N/2.

Various embodiments are described, wherein the instructions formultiplying the third polynomial in the first ring with the fifthpolynomial in the first ring to produce a first multiplication resultfurther includes: instructions for mapping the third polynomial intoseventh polynomial in a third ring and an eighth polynomial in a forthring using the map; instructions for mapping the fifth polynomial into aninth polynomial in the third ring and a tenth polynomial in the fourthring using the map; instructions for multiplying the seventh polynomialin the third ring with the ninth polynomial in the third ring to producea third multiplication result; instructions for multiplying the eighthpolynomial in the fourth ring with the tenth polynomial in the fourthring to produce a fourth multiplication result using Renesmultiplication; and instructions for combining the second multiplicationresult and the fourth multiplication result using the map to produce thefirst multiplication result.

Various embodiments are described, wherein the first ring is

[X]/(X^(N/2)−1), the second ring is

[X]/(X^(N/2)+1), the third first ring is

[X]/(X^(N/4)−1), and the fourth ring is

[X]/(X^(N/4)+1).

Various embodiments are described, wherein the first polynomial and thesconed polynomial are of order N, the third polynomial, fourthpolynomial, fifth polynomial, and sixth polynomial are of order N/2, andthe seventh polynomial, eighth polynomial, ninth polynomial, and tenthpolynomial are of order N/4.

Various embodiments are described, wherein the cryptographic operationis a lattice-based cryptographic operation.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to better understand various exemplary embodiments, referenceis made to the accompanying drawings, wherein:

FIG. 1 illustrates a tree structure showing the recursive splitting of amultiplication to reduce the length of the multiplications required;

FIG. 2 illustrates a flow diagram for performing the multiplication oftwo polynomials by a processor; and

FIG. 3 illustrates, in block diagram form, data processing systemincluding a co-processor for multiplying two or more polynomials inaccordance with an embodiment.

To facilitate understanding, identical reference numerals have been usedto designate elements having substantially the same or similar structureand/or substantially the same or similar function.

DETAILED DESCRIPTION

The description and drawings illustrate the principles of the invention.It will thus be appreciated that those skilled in the art will be ableto devise various arrangements that, although not explicitly describedor shown herein, embody the principles of the invention and are includedwithin its scope. Furthermore, all examples recited herein areprincipally intended expressly to be for pedagogical purposes to aid thereader in understanding the principles of the invention and the conceptscontributed by the inventor(s) to furthering the art and are to beconstrued as being without limitation to such specifically recitedexamples and conditions. Additionally, the term, “or,” as used herein,refers to a non-exclusive or (i.e., and/or), unless otherwise indicated(e.g., “or else” or “or in the alternative”). Also, the variousembodiments described herein are not necessarily mutually exclusive, assome embodiments can be combined with one or more other embodiments toform new embodiments.

Lattice-based cryptography supports various commonly used cryptographicfunctionality such as exchanging secret keys, digital signatures,encryption, and decryption. In addition, lattice-based cryptographysupports other cryptographic functionality such as homomorphicencryption, and the like. Lattice-based cryptography has many practicalapplications such as establishing secure connections over a network(e.g., the internet), guaranteeing the integrity of software (e.g., whenupdating or booting a device) and performing cryptographic operations onencrypted data in the cloud. When implemented in either hardware orsoftware, many lattice-based constructions work on polynomials that aregenerated from random user input or publicly known seeds to enhanceperformance and reduce memory requirements. For example, in variouslattice-based cryptographic schemes, such as for example, an asymmetriccryptography scheme using a pair of keys, a user's private key of thekey pair includes a vector of polynomials having coefficients that aresampled randomly. A public key of the key pair is a matrix ofpolynomials having coefficients that are either public or generated froma public seed. The longest arithmetic operations carried out by theseimplementations are multiplications involving two polynomials, and theoperations may be repeated several times. The polynomials typically havea fixed, or finite, number of coefficients, while the coefficientsthemselves lie in a modular ring, such as the integers modulo a prime ora power of two. These are properties of the particular cryptographicscheme and are fixed by parameters of the scheme. Therefore, a needexists for a method to multiply two polynomials for a cryptographicapplication efficiently using existing co-processors.

A method to reduce polynomial multiplications in

[X] to integer multiplication was proposed by a mathematician named L.Kronecker as set out in “Grundzüge einer arithmetischen theorie deralgebraischen grössen, Journal für die reine and angewandte” Mathematik92 (1882), 1-122. This approach is known as the Kronecker substitutionmethod. In the approach, given two polynomials f, g∈

[X] of degree (up to) n−1∈

, the goal is to compute the polynomial multiplication h=f·g.Kronecker's idea is to evaluate the polynomials at a sufficiently highpower of two (e.g., f(

) and g(

)) and use the resulting integers as input for a regular integermultiplication by computing h(

)=f(

)·g(

). Finally, the resulting integer h(

) is converted back to its polynomial representation h∈

[X]. The result is correct if the coefficients of the resultingpolynomial did not “mix” with each other, i.e., if the parameter

∈

is sufficiently large. An advantage of this approach, computing apolynomial multiplication with an integer multiplication, is thatwell-studied and fast implementations of asymptotic integermultiplication methods can be used.

The size of the integers multiplied in the Kronecker procedure isstrongly related to the size of

. Simply put, the larger

, the larger the integers, and the variable

needs to be above a certain threshold in order to avoid “mixing” of thepolynomial coefficients and rendering the result incorrect. Amathematician named David Harvey observed in an article entitled “FasterPolynomial Multiplication Via Multipoint Kronecker Substitution” in theJournal of Symbolic Computation 44 (2009), no. 10, 1502-1510,incorporated herein by reference for all purposes, that the size of

can be reduced by splitting up the polynomial evaluation into two parts.Assuming for simplicity that

is even, and given f, g∈

[X], David Harvey computes

h(

)=f(

)·g(

),

h(−

)=f(−

)·g(−

),

where

₂=

/2. David Harvey then observes that

h ⁽⁰⁾(

)=(h(

)+h(−

))/2,

h ⁽¹⁾(

)=(h(

)−h(−

))/(2·

),

where h^((i)) denotes the polynomial whose jth coefficient equals the(2j +1i)th coefficient of h. In other words,

h ⁽⁰⁾(

)=Σ_(j=0) ^(n/2−1) h _(2j)

, and h ⁽¹⁾(

)=Σ_(j=0) ^(n/2−1) h _(2j+1)

The coefficients of h can therefore be recovered as the

-bit limbs h⁽⁰⁾(

) and h⁽¹⁾(

). Denoting by M(b) the cost of multiplying two b-bit integers, thisapproach changes the cost of the polynomial multiplication in

[X] from M(

·n)+O(

·n) in the case of standard Kronecker, to 2·M(

·n/2)+O(

·n). Here the O terms represent overhead and the cost of packing andunpacking. This has significant advantages whenever the cost ofmultiplying is more expensive than linear in n. Harvey also considers asecond approach to split up the evaluation into four parts by alsoevaluating at the reciprocal f(

), which gives rise to multiplication with a cost of 4·M(

·n/4)+O(

·n).

In an article entitled “Implementing RLWE-based schemes using an RSAco-processor,” by Martin R. Albrecht, Christian Hanser, Andrea Hoeller,Thomas Pöppelmann, Fernando Virdia, and Andreas Wallner, (IACRTransactions on Cryptographic Hardware and Embedded Systems, 2019(1),169-208), incorporated herein by reference for all purposes, the authorsrepurpose existing RSA/ECC co-processors for (ideal) lattice-basedcryptography with polynomial modulus m(X)=X²⁵⁶+1. The assumption is thatone has access to a co-processor which can provide efficient modulararithmetic for large moduli (up to a couple thousand bits). The idea isto apply Kronecker substitution (including the signed variant and themulti-point evaluation) to compute arithmetic in R_(q) using theexisting co-processors.

In the U.S. patent application Ser. No. 16/884,136 filed on May 27, 2020to Joost R. Renes et al. entitled “Method For Multiplying PolynomialsFor A Cryptographic Operation” (hereafter “Renes”), the observation ismade that ζ=X^(2N/t) is a principal t-th root of unity in the ring

[X]/(X^(N)+1). Hence the

N-bit multiplication can now be reduced through Kronecker to tmultiplications of

N/t bits each. Using the notation from above, the cost goes from M(

·N)+O(

·N) to t·M(

·N/t)+O(

·N). This is done by evaluating f and g at ζ^(i)·

for i=0, 1, . . . t−1 as opposed to only

and multiplying the respective factors modulo X^(N/t)+1. Renes isincorporated by reference for all purposes as if included herein.

More specifically, the integers

h(ζ^(i)

)=f(ζ^(i)

)·g(ζ^(i)

)mod(

+1), 0≤i≤t−1,

are computed and it is noted that

$\begin{matrix}{{{h^{(i)}( 2^{\ell} )} \equiv {\frac{\sum_{j = 0}^{t - 1}{\zeta^{i({t - j})}{h( {\zeta^{j} \cdot 2^{\ell_{t}}} )}}}{2^{i\ell}{t \cdot t}}{mod}\ ( {2^{\ell_{t}n} + 1} )}},{where}} & \end{matrix}$${h^{(i)}( 2^{\ell} )} = {\sum_{j = 0}^{{n/t} - 1}{h_{{2{tj}} + i}{2^{j\ell}.}}}$

To recover h, the appropriate

-bit limbs can be read off from the h^((i)). The method for multiplyingpolynomials in the ring

[X]/(X^(N)+1) as described above and in more detail in Renes willhereafter be called Renes multiplication. The use of the Renesmultiplication allows for the multiplication of polynomials in the ring

[X]/(X^(N)+1) to be computed more efficiently and may take advantage ofexisting cryptographic co-processors.

The main arithmetic operations used in lattice-based cryptographyinclude polynomial multiplication in the ring (

/q

)[X]/(m(X)) where typically q<2³². This makes it hard to directly applythe existing fast and hardened arithmetic co-processors designed forclassical public-key cryptography such as ECC and RSA. Embodiments wellbe described herein that can make use of this existing hardwareefficiently. In contrast to the approach taken in Renes that addressedthe case where m(X)=X^(N)+1 for N some power of 2, the embodimentsdescribed herein address the more complicated case of m(X)=X^(N)−1 for Nsome power of 2 that allows application to a wider variety oflattice-based schemes being considered for post-quantum standardization.

Computing polynomial arithmetic using integer arithmetic is not new:Kronecker substitution is a well-known technique which achieves this.The embodiments disclosed herein extend the tools which one can use forKronecker by using the properties of the special ring

[X]/(X^(N)−1) used in lattice-based cryptography. Although this ringdoes not initially have nice principal roots of unity that are neededfor number theoretic transforms (NTT), the embodiments described hereinshow how to use the map

ψ:

[X]/(X ^(N)−1)→

[X]/(X ^(N/2)−1)×

[X]/(X ^(N/2)+1)

to recursively apply the Renes multiplication to reduce

N-bit multiplications to t (approximately)

N/t-bit multiplications for positive integers t (that are powers of 2).This is much faster compared to the state-of-the-art and allows for theefficient re-use of existing hardware co-processors.

In Renes multiplication, it is crucial that in the ring

[X]/(X^(N)+1) the element ζ=X^(2N/t) is a principal t-th root of unity.Not only does this allow the application of an NTT, but also whenapplying Kronecker substitution, the element ζ is mapped to

which is a power of 2 allowing for efficient computations. This impliesthat multiplications by (powers of) ζ can be replaced by verycomputationally inexpensive bit shifts.

The same idea does not immediately apply when moving to the ring

[X]/(X^(N)−1), as is not principal. Although alternative principal rootsof unity exist, they will not correspond to powers of 2 when evaluatedat

in Kronecker substitution. Therefore multiplications by its powers willbe very costly. How to avoid that problem will now be illustrated.

The main construction is based on the map

ψ₀:

[X]/(X ^(N)−1)→

[X]/(X ^(N/2)−1)×

[X]/(X ^(N/2)+1),

f=f ₀ +X ^(N/2) f ₁

(f ₀ +f ₁ , f ₀ −f ₁).

This is initially not an isomorphism, but will be when extended tocoefficients over

(using CRT) with inverse ψ₀ ⁻¹:({circumflex over (f)}₀, {circumflex over(f)}₁)

(({circumflex over (f)}₀+{circumflex over (f)}₁)/2, ({circumflex over(f)}₀−{circumflex over (f)}₁)/2). This ensures that ψ₀ ⁻¹(ψ₀(f))=f forany f∈

[X]/(X^(N)−1), which suffices for purposes of this approach. It can alsobe viewed as a degree 2 NTT with (principal) root of unity −1∈

. This (combined with Kronecker) would reduce the

N-bit multiplication to 2 multiplications of ηN/2 bits each.

Now Renes multiplication may be applied to the multiplication in

[X]/(X^(N/2)+1) with (t/2)-th root of unity X^(N/t), reducing the (

N/2)-bit multiplication to t/2 multiplications of

N/t bits each. What remains is to perform an

N/2 -bit multiplication in

[X]/(X^(N/2)−1). Now recursion may be applied, using the map

ψ₁:

[X]/(X ^(N/2)−1)→

[X]/(X ^(N/4)−1)×

[X]/(X ^(N/4)+1),

f=f ₀ +X ^(N/2) f ₁

(f ₀ +f ₁ , f ₀ −f ₁),

which splits

[X]/(X^(N/2)−1) up into two multiplications of

N/4 bits each, one in

[X]/(X^(N/4)−1) and one in

[X]/(X^(N/4)+1). Again applying Renes multiplication to

[X]/(X^(N/4)+1) reduces the computation to t/4 multiplications of

N/t bits each. Continuing, the single

N/t-bit multiplication is reduced to t−1 multiplications in

[X]/(X^(N/t)+1) and a single multiplication in

[X]/(X^(N/t)−1), all of which are

N/t-bits.

FIG. 1 illustrates a tree structure showing the recursive splitting of amultiplication to reduce the length of the multiplications required.First, a multiplication in

[X]/(X^(N)−1) 105 is split into a multiplication in

[X]/(X^(N/2)−1) 115 and a multiplication in

[X]/(X^(N/2)+1) 110. The multiplication in

[X]/(X^(N/2)+1) 110 may be computed using Renes multiplication andrequires t/2 multiplications of

N/t bits each 112. Next, the multiplication in

[X]/(X^(N/2)−1) 115 is split into a multiplication in

[X]/(X^(N/4)−1) 125 and a multiplication in

[X]/(X^(N/4)+1) 120. The multiplication in

[X]/(X^(N/4)+1) 120 may be computed using Renes multiplication andrequires t/4 multiplications of

N/t bits each 122. Then, the multiplication in

[X]/(X^(N/4)−1) 125 is split into a multiplication in

[X]/(X^(N/8)−1) 135 and a multiplication in

[X]/(X^(N/8)+1) 130. The multiplication in

[X]/(X^(N/8)+1) 130 may be computed using Renes multiplication andrequires t/8 multiplications of

N/t bits each 132. At this point, the multiplication in

[X]/(X^(N/8)−1) 135 may be computed requiring 1 multiplication of

N/8 bits 137. In FIG. 1 t=8, but other values may be chosen to furtheriterate the splitting the process. The splitting may continue until thenumber of bits in the multiplication is less than the number of bitsthat an available co-processor is able to handle.

The computational complexity will now be described. For a Kroneckerexponent θ and a co-processor with word size w, computing the operationf

(f₀+f₁, f₀−f₁) in

[X]/(X^(2N/k)−1) has a cost of 2·θN/(kw) additions. Further, computingRenes multiplication in

[X]/(X^(N/k)+1) has a cost of

N/tw·(t/k)log(t/k) additions, where t is the total depth. Summing up allthe parts (e.g., as done in FIG. 1), a total cost is calculated as

${{\sum_{i = 1}^{\log t}\frac{2\ell N}{2^{i}w}} + {\sum_{i = 1}^{{\log{}t} - 1}{\frac{\ell N}{tw}\frac{t{\log( {t/2^{i}} )}}{2^{i}}}}} = {{\frac{\ell N}{w}{\sum_{i = 1}^{\log t}\frac{( {2 + {\log t} - i} )}{2^{i}}}} = {\frac{\ell N\log t}{w}.}}$

As the Renes multiplication has cost t log t·

N/(tw), the costs are seen to be equal but allows one to apply existinglarge number co-processors to a wider variety of cryptographic schemes.

Now a concrete example will be given of how to map a polynomial bysplitting it into a “lower part” f₀ and an “upper part” f₁. For examplewith N=8, define

f=1+2x+3x ²+4x ³+5x ⁴+6x ⁵+7x ⁶+8x ⁷.

Then using the map define

f ₀=1+2x+3x ²+4x ³,

and

f ₁=5+6x+7x ²+8x ³.

Here it can be seen that f₀ and f₁ have half the degree of f and thattheir coefficients correspond exactly to those of f. This works for an Nthat is divisible by 2.

Once f has been expressed as f=f₀+X^(N/2)f₁, f may be mapped it to twodifferent rings. The first ring is

[X]/(X^(N/2)−1) which essentially means a ring where X^(N/2)−1=0 orX^(N/2)=1. Mapping to that ring means that X^(N/2)→1, so thatf₀+X^(N/2)f₁

f₀+f₁. In the first ring

[X]/(X^(N/2)−1) calculations are done using f₀+f₁.

The other ring is

[X]/(X^(N/2)+1) which is a ring where X^(N/2)=−1. In this caseX^(N/2)→1, so f₀+X^(N/2)f₁

f₀−f₁. In the second ring

[X]/(X^(N/2)+1) calculations are done using f₀−f₁.

If F₀=f₀+f₁ and F₁=f₀−f₁, it can be seen that 2f=(F₀+F₁)+X^(N/2)(F₀−F₁).So f may be retrieved by adding and subtracting F₀ and F₁ and accountingfor the factor of 2. So, the basic intuition is that any polynomial fcan be split into two parts with an addition and subtraction, and it maybe recovered from its two halves also with an addition and subtraction.

This mapping also behaves very well with respect to multiplication. Iff=f₀+X^(N/2)f₁ and g=g₀+X^(N/2)g₁, f and g may be split into (f₀+f₁,f₀−f₁) and (g₀+g₁, g₀−g₁). Now multiply the two parts separately to get((f₀+f₁)(g₀+g₁), (f₀−f₁)(g₀−g₁)).

Finally perform the reconstruction step:

(f ₀ +f ₁)(g ₀ +g ₁)+(f ₀ −f ₁)(g ₀ −g ₁)=2(f ₀ g ₀ +f ₁ g ₁);

(f ₀ +f _(i))(g ₀ +g ₁)−(f ₀ −f ₁)(g ₀ −g ₁)=2(f ₀ g ₁ +f ₁ g ₀).

The polynomial 2(f₀g₀+f₁g₁)+2X^(N/2)(f₀g₁+f₁g₀) is recovered based uponthe mapping defined above.

On the other hand, multiplying f and g directly givesf·g=f₀g₀+X^(N/2)(f₀g₁+f₁g₀)+X^(N)f₁g₁. In the ring

[X]/(X^(N)−1) X^(N)=1, so f·g=(f₀g₀+f₁g₁)+X^(N/2)(f₀g₁+f₁g₀) moduloX^(N)−1. This is the same polynomial above except for a factor 2, whichcan easily be accounted for.

FIG. 2 illustrates a flow diagram for performing the multiplication oftwo polynomials by a processor. The multiplication 200 starts at step205. Then the processor receives the first and second polynomials tomultiply 210. Then the processor maps the first polynomial into a thirdpolynomial in a first ring and a fourth polynomial in a second ring 215.This may be done using the mapping

ψ₀ :

[X]/(X ^(N)−1)→

[X]/(X ^(N/2)−1)×

[X]/(X ^(N/2)+1),

f=f ₀ +X ^(N/2) f ₁

(f ₀ +f ₁ , f ₀ −f ₁)

described above. Next, the processor maps the second polynomial into afifth polynomial in the first ring and a sixth polynomial in the secondring 220 in the same manner as the first polynomial. The processor thenmultiplies the third polynomial in the first ring with the fifthpolynomial in the first ring 225. Next, the processor multiplies thefourth polynomial in the second ring with the sixth polynomial in thesecond ring 230. The multiplication in the second ring may use Renesmultiplication to efficiently perform this multiplication. Finally, theprocessor combines the two multiplications done in the two rings usingthe mapping to result in the multiplication of the two polynomials 235and then stops 240.

Methods 100 and 200 may use existing fast and hardened arithmeticco-processors designed for known public-key cryptography such as ECC andRSA. As described above, the method applies number theoretic transform(NTT) techniques and roots of unity to the Kronecker setting whichresults in a faster and more efficient solution on processors designedfor RSA and ECC calculations.

FIG. 3 illustrates, in block diagram form, data processing system 20including a co-processor 32 for multiplying two or more polynomials inaccordance with an embodiment. Data processing system 20 may be asystem-on-a-chip (SoC) implemented on a single integrated circuit, or itmay be a combination of chips. In other embodiments, integrated circuit10 may include another type of circuit such as an ASIC (applicationspecific integrated circuit), FPGA (field programmable gate array), orthe like, that can provide execute instructions. In one embodiment, dataprocessing system 20 may include metal-oxide semiconductor (MOS)transistors fabricated using a conventional complementary metal-oxidesemiconductor (CMOS) process. In another embodiment, data processingsystem 20 may include other transistor types, such as bipolar, and maybe manufactured with a different process.

Data processing system 20 includes communication bus 22, processor(s)24, memory 26, and cryptography co-processor 32. Bus 22 may be aconventional bus having a plurality of conductors for communicatingaddress, data, and control information. In other embodiments, bus 22 maybe an interconnect structure such as for example, a cross-bar switch orother form of interconnect system. Processor(s) 24 is bi-directionallyconnected to bus 22. Processor(s) 24 may include one or more of any typeof processing element, a processor core, microprocessor,microcontroller, field-programmable gate arrays (FPGAs),application-specific integrated circuits (ASICs), digital signalprocessor, and the like. There can be any number of processors.

Memory 26 is bi-directionally connected to bus 22. Memory 26 can be oneor more of any type of volatile or non-volatile memory. Examples ofmemory types include non-volatile memories such as flash, one-timeprogrammable (OTP), EEPROM (electrically erasable programmable read onlymemory), and the like. Volatile memory types include staticrandom-access memory (SRAM) and dynamic random-access memory (DRAM). Thememory may be used for storing instructions and/or data.

User interface 28 is bi-directionally connected to bus 22 and may beconnected to one or more devices for enabling communication with a usersuch as an administrator. For example, user interface 28 may be enabledfor coupling to a display, a mouse, a keyboard, or other input/outputdevice. User interface 28 may also include a network interface havingone or more devices for enabling communication with other hardwaredevices external to data processing system 20.

Instruction memory 30 may include one or more machine-readable storagemedia for storing instructions for execution by processor(s) 24. Inother embodiments, both memories 26 and 30 may store data upon whichprocessor(s) 24 may operate. Memories 26 and 30 may also store, forexample, encryption, decryption, and verification applications. Memories26 and 30 may be implemented in a secure hardware element and may betamper resistant.

Co-processor 32 is bi-directionally connected to bus 22. Co-processor 20may be a special type of a co-processor optimized for runningencryption/decryption security software according to the RSA, ECC, orAdvanced Encryption Standard (AES) or other type of commonly usedencryption algorithm. Accordingly, and in accordance with the describedembodiments, co-processor 32 may be used to efficiently executeinstructions for performing polynomial multiplications for post-quantumcryptography as discussed above and illustrated in the flowchart ofFIG. 1. The algorithm executed on co-processor 32 may be used toencrypt/decrypt data and instructions in data processing system 20.

The polynomial comparator and method described herein provides atechnological solution to improving ability to multiply two polynomialsin rings of the form of

[X]/(X^(N)−1) as required in many post-quantum cryptographic systems.The polynomial multiplier uses a mapping function to map the polynomialsto be multiplied into smaller polynomials over two different rings thathave an order of N/2. One mapped polynomial is over a ring

[X]/(X^(N/2)+1), and the multiplication of polynomials over this ringmay be efficiently calculated using Renes multiplication. The othermapped polynomial is over a ring

[X]/(X^(N/2)−1). If the word size of such multiplication is larger thanthe word size of the available cryptographic co-processor, then thepolynomials are further split again, and this process is repeated asdescribed in FIG. 1 until word size of the polynomial over a ring

[X]/(X^(N/t)−1) fits within the available cryptographic co-processor.This allows for multiplication over a ring

[X]/(X^(N)−1) to be split into multiplications that may fit within theavailable cryptographic co-processor and greatly reduces the size of themultiplications required as described above. This is an improvement overother methods that allow for the use of available cryptographicco-processors to carry out small multiplications so that the polynomialmultiplications may be carried out more efficiently.

As used herein, the term “non-transitory machine-readable storagemedium” will be understood to exclude a transitory propagation signalbut to include all forms of volatile and non-volatile memory. Whensoftware is implemented on a processor, the combination of software andprocessor becomes a single specific machine. Although the variousembodiments have been described in detail, it should be understood thatthe invention is capable of other embodiments and its details arecapable of modifications in various obvious respects.

Because the data processing implementing the present invention is, forthe most part, composed of electronic components and circuits known tothose skilled in the art, circuit details will not be explained in anygreater extent than that considered necessary as illustrated above, forthe understanding and appreciation of the underlying concepts of thepresent invention and in order not to obfuscate or distract from theteachings of the present invention.

Although the invention is described herein with reference to specificembodiments, various modifications and changes can be made withoutdeparting from the scope of the present invention as set forth in theclaims below. Accordingly, the specification and figures are to beregarded in an illustrative rather than a restrictive sense, and allsuch modifications are intended to be included within the scope of thepresent invention. Any benefits, advantages, or solutions to problemsthat are described herein with regard to specific embodiments are notintended to be construed as a critical, required, or essential featureor element of any or all the claims.

The term “coupled,” as used herein, is not intended to be limited to adirect coupling or a mechanical coupling.

Furthermore, the terms “a” or “an,” as used herein, are defined as oneor more than one. Also, the use of introductory phrases such as “atleast one” and “one or more” in the claims should not be construed toimply that the introduction of another claim element by the indefinitearticles “a” or “an” limits any particular claim containing suchintroduced claim element to inventions containing only one such element,even when the same claim includes the introductory phrases “one or more”or “at least one” and indefinite articles such as “a” or “an.” The sameholds true for the use of definite articles.

Unless stated otherwise, terms such as “first” and “second” are used toarbitrarily distinguish between the elements such terms describe. Thus,these terms are not necessarily intended to indicate temporal or otherprioritization of such elements.

Any combination of specific software running on a processor to implementthe embodiments of the invention, constitute a specific dedicatedmachine.

It should be appreciated by those skilled in the art that any blockdiagrams herein represent conceptual views of illustrative circuitryembodying the principles of the invention.

1. A method for multiplying a first and a second polynomial in the ring

[X]/(X^(N)−1) to perform a cryptographic operation in a data processingsystem, the method for use in a processor of the data processing system,comprising: receiving the first polynomial and the second polynomial bythe processor; mapping the first polynomial into a third polynomial in afirst ring and a fourth polynomial in a second ring using a map; mappingthe second polynomial into a fifth polynomial in the first ring and asixth polynomial in the second ring using the map; multiplying the thirdpolynomial in the first ring with the fifth polynomial in the first ringto produce a first multiplication result; multiplying the fourthpolynomial in the second ring with the sixth polynomial in the secondring to produce a second multiplication result using Renesmultiplication; and combining the first multiplication result and thesecond multiplication result using the map wherein the method allows averification, encryption, or decryption operation using themultiplication of the first polynomial and the second polynomial withinteger coefficients to be performed on the processor for post-quantumcryptography.
 2. The method of claim 1, wherein the first ring is

[X]/(X^(N/2)−1), and the second ring is

[X]/(X^(N/2)+1).
 3. The method of claim 1, wherein the first polynomialf is f=f₀+X^(N/2)f₁ in the ring

[X]/(X^(N)−1), wherein f₀ is a lower portion of the first polynomial andf₁ is an upper portion of the first polynomial, the third polynomial isf₀+f₁ in the first ring, and fourth polynomial is f₀−f₁ in the secondring.
 4. The method of claim 1, wherein the first polynomial and thesecond polynomial are of order N and the third polynomial, fourthpolynomial, fifth polynomial, and sixth polynomial are of order N/2. 5.The method of claim 1, wherein multiplying the third polynomial in thefirst ring with the fifth polynomial in the first ring to produce afirst multiplication result further comprises: mapping the thirdpolynomial into seventh polynomial in a third ring and an eighthpolynomial in a forth ring using the map; mapping the fifth polynomialinto a ninth polynomial in the third ring and a tenth polynomial in thefourth ring using the map; multiplying the seventh polynomial in thethird ring with the ninth polynomial in the third ring to produce athird multiplication result; multiplying the eighth polynomial in thefourth ring with the tenth polynomial in the fourth ring to produce afourth multiplication result using Renes multiplication; and combiningthe second multiplication result and the fourth multiplication resultusing the map to produce the first multiplication result.
 6. The methodof claim 5, wherein the first ring is

[X]/(X^(N/2)−1), the second ring is

[X]/(X^(N/2)+1), the third first ring is

[X]/(X^(N/4)−1), and the fourth ring is

[X]/(X^(N/4) +1).
 7. The method of claim 5, wherein the first polynomialand the sconed polynomial are of order N, the third polynomial, fourthpolynomial, fifth polynomial, and sixth polynomial are of order N/2, andthe seventh polynomial, eighth polynomial, ninth polynomial, and tenthpolynomial are of order N/4.
 8. The method of claim 1, wherein thecryptographic operation is a lattice-based cryptographic operation.
 9. Adata processing system comprising instructions embodied in anon-transitory computer readable medium, the instructions formultiplying a first and a second polynomial in the ring

[X]/(X^(N)−1) to perform a cryptographic operation in a processor, theinstructions, comprising: instructions for receiving the firstpolynomial and the second polynomial by the processor; instructions formapping the first polynomial into a third polynomial in a first ring anda fourth polynomial in a second ring using a map; instructions formapping the second polynomial into a fifth polynomial in the first ringand a sixth polynomial in the second ring using the map; instructionsfor multiplying the third polynomial in the first ring with the fifthpolynomial in the first ring to produce a first multiplication result;instructions for multiplying the fourth polynomial in the second ringwith the sixth polynomial in the second ring to produce a secondmultiplication result using Renes multiplication; and instructions forcombining the first multiplication result and the second multiplicationresult using the map wherein the method allows a verification,encryption, or decryption operation using the multiplication of thefirst polynomial and the second polynomial with integer coefficients tobe performed on the processor for post-quantum cryptography.
 10. Thedata processing system of claim 9, wherein the first ring is

[X]/(X^(N/2)−1), and the second ring is

[X]/(X^(N/2)+1).
 11. The data processing system of claim 9, wherein thefirst polynomial f is f=f₀+X^(N/2)f₁ in the ring

[X]/(X^(N)−1), wherein f₀ is a lower portion of the first polynomial andf₁ is an upper portion of the first polynomial, the third polynomial isf₀+f₁ in the first ring, and fourth polynomial is f₀−f₁ in the secondring.
 12. The data processing system of claim 9, wherein the firstpolynomial and the second polynomial are of order N and the thirdpolynomial, fourth polynomial, fifth polynomial, and sixth polynomialare of order N/2.
 13. The data processing system of claim 9, wherein theinstructions for multiplying the third polynomial in the first ring withthe fifth polynomial in the first ring to produce a first multiplicationresult further comprises: instructions for mapping the third polynomialinto seventh polynomial in a third ring and an eighth polynomial in aforth ring using the map; instructions for mapping the fifth polynomialinto a ninth polynomial in the third ring and a tenth polynomial in thefourth ring using the map; instructions for multiplying the seventhpolynomial in the third ring with the ninth polynomial in the third ringto produce a third multiplication result; instructions for multiplyingthe eighth polynomial in the fourth ring with the tenth polynomial inthe fourth ring to produce a fourth multiplication result using Renesmultiplication; and instructions for combining the second multiplicationresult and the fourth multiplication result using the map to produce thefirst multiplication result.
 14. The data processing system of claim 13,wherein the first ring is

[X]/(X^(N/2)−1), the second ring is

[X]/(X^(N/2)+1), the third first ring is

[X]/(X^(N/4)−1), and the fourth ring is

[X]/(X^(N/4)+1).
 15. The data processing system of claim 13, wherein thefirst polynomial and the sconed polynomial are of order N, the thirdpolynomial, fourth polynomial, fifth polynomial, and sixth polynomialare of order N/2, and the seventh polynomial, eighth polynomial, ninthpolynomial, and tenth polynomial are of order N/4.
 16. The dataprocessing system of claim 9, wherein the cryptographic operation is alattice-based cryptographic operation.